Products & Technology | January 12, 2023

ReversingLabs Threat Analysis and Hunting Solution January 2023 Update: Driving SecOps Forward

Learn how your organization can reduce cyber risks (as well as operational workload and tool costs) while ensuring data and file privacy. Plus, explore how your security team can reduce MTTD and prioritize malicious files for triage.


ReversingLabs is today announcing new features for its Threat Analysis and Hunting Solution (A1000), which offers customers an instant malware lab with static and dynamic analysis for all of their company's files and binaries. The solution integrates with ReversingLabs file reputation services to provide rich, in-depth context and threat classification, and also supports visualization, APIs for automated workflows, global and local YARA rules matching, and integration with third-party sandbox tools.

Analysis outcomes from A1000 are mapped to the industry-standard MITRE ATT&CK framework for ease of use and correlation with other security solutions. This context allows analysts to effectively defend against both widespread and targeted attacks, accelerating investigations and response activities.

ReversingLabs Threat Analysis and Hunting Solution provides value to organizations in a number of ways: it improves their security posture and reduces cyber risks while ensuring data and file privacy. Additionally, organizations are able to decrease operational workload and tool costs. Practitioners benefit by using our solution's advanced technology to reduce MTTD and to prioritize malicious files for triage.

Technology Update Drives Security Operations Forward

In the newest version of ReversingLabs Threat Analysis and Hunting Solution, several updates have been made to improve the overall quality and efficiency of our platform.  

Improvements to network and dynamic analysis technologies are integral to this solution version. These include new IP classification network threat intelligence, support for pre-built Sigma and Snort rules, and historic reports for past analyses via ReversingLabs Cloud Sandbox. In addition to analysis, the solution's search capabilities have become more efficient, bringing benefits to our customers.

Below, we break down these major solution updates for you. 

A1000 Tool - Network Threat Intelligence Interface

Figure 1: ReversingLabs A1000 Tool - Network Threat Intelligence Interface

Having an accessible and smart interface while using our cutting-edge technology is what makes ReversingLabs Threat Analysis and Hunting Solution an essential tool for our customers. Using customer feedback and internal testing, our team has taken the steps to continue improving ReversingLabs Network Threat Intelligence. 

The latest version of the Threat Analysis and Hunting Solution includes a tab for IP address threat intelligence on the URL summary page, similar to previously added tabs for URL and domain threat intelligence. The data is retrieved from ReversingLabs Threat Intelligence platform, yielding a list of top threats, IP reputation, threat level, and a list of related URLs and domains.  

This newly added IP analysis enables users to investigate IP address reputation and provide this intelligence to their SOAR or other solutions, allowing users to block malicious IP addresses. This contributes to having better network threat intelligence data overall, improving the effectiveness of an organization’s operations and practitioners.  

Enhancements to ReversingLabs Cloud Sandbox

Snort and Sigma Rules


Figure 2: ReversingLabs A1000 Tool - Cloud Sandbox Analysis Summary - Historic Reports - Snort Rules

ReversingLabs Cloud Sandbox, a key element of our Threat Analysis and Hunting Solution, has now been enhanced to include pre-built Snort and Sigma rules. By providing these custom rules, similar to our pre-existing file rules for YARA, the capabilities of Cloud Sandbox have expanded to include the analysis of network and operating system log events.

These pre-built rules serve different purposes. Snort rules cover network events, for example, notifying a user of an attempted information leak or web application attack. Sigma rules, on the other hand, are used to notify a user of a suspicious or malicious log event.

The metadata drawn from these additional rules is important for malware detection and identification purposes, because it tells a user when a malicious behavior has occurred at the network or operating system log level. This type of data cannot be extracted from static analysis alone, making ReversingLabs Cloud Sandbox a key part of this solution.

Historic Reports


Figure 3: ReversingLabs A1000 Tool - Cloud Sandbox Analysis Summary - Historic Reports - Sigma Rules

At ReversingLabs, we believe in helping our customers save time and resources. Previously, if users ran static analysis on a sample, they would need to run the sample separately through dynamic analysis (via ReversingLabs Cloud Sandbox). Now, when users process a sample through static analysis, they can also view all Historic Reports from past Cloud Sandbox analysis on the Sample Summary page. 

The latest version of this solution lets users view previously run dynamic analysis reports to enrich investigations, save daily sample quota, and save sample analysis time. Users can decide if the report data is current enough to use, or if they need to submit the sample for dynamic analysis again for the most up-to-date results.

Historic Reports will now provide the user with immediate insights from the large and mature ReversingLabs data corpus, offering our customers richer investigations without spending additional Cloud Sandbox quota.

Improved Smart Search Navigation


Figure 4: ReversingLabs A1000 Tool - Smart Search Navigation - IP Analysis

The newest version of ReversingLabs Threat Analysis and Hunting Solution eliminates an intermediate step for users, making a search for a single hash, URL, domain or IP address more efficient. Thanks to this improvement, a search on either a hash or URL will reveal the Sample Summary page for that specific item. Additionally, a search on either a domain or IP address will yield information from the Network Threat Intelligence page, based on the ReversingLabs data corpus. 

This improved search feature provides additional threat intelligence that offers richer network analysis, and customers are afforded a more efficient Smart Search process. 

Going Above and Beyond our Customers’ Expectations

ReversingLabs will continue to improve the Threat Analysis and Hunting Solution, so that organizations can continue to have robust programs that can help mitigate today's most serious malware threats.

Updates made to the most recent version of the ReversingLabs Threat Analysis and Hunting (A1000) platform, such as improved network threat intelligence, Cloud Sandbox enhancements, plus more efficient Smart Search navigation, will benefit our customers and the mission of ReversingLabs. 

About ReversingLabs

Over 10 years ago, ReversingLabs invented binary threat analysis to become the leading provider of file threat intelligence. ReversingLabs offers actionable context so IT and SOC teams can prioritize threats and optimize existing security tools. ReversingLabs solutions enable high-speed file classification via one of the largest malware and goodware sample repositories and expedite malware analysis with automated static and dynamic analysis. The most advanced security vendors use ReversingLabs solutions to enrich their file intelligence and provide better protection to their customers.



Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

